slide1
Download
Skip this Video
Download Presentation
Control Plane Resilience: The Method of Strong Detection Raj Kumar Vishal Misra Dan Rubenstein

Loading in 2 Seconds...

play fullscreen
1 / 23

Control Plane Resilience: The Method of Strong Detection Raj Kumar Vishal Misra Dan Rubenstein - PowerPoint PPT Presentation


  • 42 Views
  • Uploaded on

Control Plane Resilience: The Method of Strong Detection Raj Kumar Vishal Misra Dan Rubenstein. Allerton, 9/28/06. Routing Protocols with Misconfigurations. Routing Protocols in “friendly” environments are well understood, e.g., Link State: global knowledge, centralized approach

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Control Plane Resilience: The Method of Strong Detection Raj Kumar Vishal Misra Dan Rubenstein' - russell-ryan


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide1

Control Plane Resilience: The Method of Strong Detection

Raj Kumar

Vishal Misra

Dan Rubenstein

Allerton, 9/28/06

routing protocols with misconfigurations
Routing Protocols with Misconfigurations
  • Routing Protocols in “friendly” environments are well understood, e.g.,
    • Link State: global knowledge, centralized approach
    • Distance Vector (a.k.a. Bellman-Ford): known to converge (quickly), adapt to changes, etc.
    • BGP (Path-Vector): some problems in converging when routes change, significant literature evaluating/understanding
  • Critical Assumption for correctness: Nodes follow the proper protocol procedure
  • Q: What happens when nodes don’t follow the protocol like they’re supposed to?
history shows misbehaving nodes can be a big problem

8765

7007

7074

6957

5165

2134

4345

History Shows: Misbehaving nodes can be a big problem
  • The infamous BGP AS 7007 Incident:
  • Consider routes to node 8765

Traffic goes where it is supposed to

nodes don t always behave

8765

7007

7074

6957

5165

2134

4345

Nodes don’t always “behave”
  • The infamous BGP AS 7007 Incident:

Traffic enters “black hole”

theory to detect bad nodes

Can I tell if my neighbors are giving me the correct information?

Theory to detect “Bad” Nodes
  • Rules:
    • “Bad” nodes can cheat, “Good” nodes can attempt to detect the bad nodes
    • “Good” nodes must limited to information provided by the routing protocol
      • Want to exchange additional info, modify the protocol
  • Challenge: When can a good node determine something isn’t right?
a node s info its state

A

B

D

E

A Node’s Info: Its State
  • A node’s state is its (only) view of the network
    • e.g., Distance-Vector (a.k.a. Bellman-Ford)

C

F

G

Note our convention: (I,J) in state table reports node I’s distance to J (not local node’s distance to J through I)

detection

N

X

Y

N

X

Y

1

3

Detection
  • Assume: Routes have stabilized (routing protocol inactive)
  • Q: For routing protocol P, given a good node’s state, what misconfigurations can it detect/observe within the network?
  • Note: A node can’t always detect a problem

D(X,Y) = 3

1

1

An undetectable misconfig at node N:

prior work weak detection
Prior Work: “Weak” Detection
  • Process for constructing a weak detection method:
    • Find a property that a node’s state should exhibit
    • Check the property in a node’s state
    • Declare misconfiguration in network if property is violated
  • A detection method is “Weak” if it fails to identify a misconfiguration that is detectable using another method (on same state)
a weak detection method symmetry
A Weak Detection Method: Symmetry
  • In an undirected graph, D(X,Y) = D(Y,X)
    • Here, D(A,B) = 1
    • But D(B,A) = 4
  • Using symmetry, found a misconfiguration
  • So why is Symmetry weak?
another weak detection method triangle inequality dmz 03
Another Weak Detection Method: Triangle Inequality [DMZ’03]
  • Triangle inequality should hold:

D(X,Z) ≤ D(X,Y) + D(Y,Z)

  • Violated here:
    • D(B,E) = 3
    • D(B,A) = 1
    • D(A,E) = 1
    • D(B,E) > D(B,A) + D(A,E)
  • Note: symmetry property not violated
  • Example shows why detection via symmetry is weak: failed to identify a detectable misconfiguration
  • So why is triangle inequality weak?
weakness of triangle inequality

D

Weakness of Triangle Inequality

A

  • Suppose graph edge lengths are all 1
  • No violation of symmetry or triangle inequality

C

B

Where to place edges?

A and B are our neighbors

C is distance 1 from B

D is distance 3 from both A & B: nowhere to put connecting edge

strong detection
“Strong” Detection
  • A detection method is “strong” if it always detects detectable misconfigurations
  • More formally, Let
    • μ be a method to detect misconfigurations
    • C = {N} be the set of valid networks (what the network might look like)
    • NR: the actual network (Note NRє C)
    • sn(N) is state of node n when the routing protocol is executed correctly (and stabilized) within a network N є C
    • s’n(NR) be the state actually computed at node n (possibly with misconfigurations) in network NR
  • μ is a strong detection method if one of the following holds whenever s’n(NR) ≠ sn(NR):
    • Detected: μ detects that sn(NR) ≠ s’n(NR)
    • Undetectable: No method μ’ exists that can detect sn(NR)≠s’n(NR)
a high complexity strong detection algorithm
A High-Complexity Strong Detection Algorithm
  • Input:
    • State s’n(NR) of node n for the “real” but unknown network NR
    • Description of set of allowable networks, C = {N}
  • Algorithm: For each N є C
    • Compute sn(N)
    • If sn(N) = s’n(NR) then return MISCONFIG UNDETECTABLE (N might be the valid network)
  • If no N є C matches, then misconfiguration detected

Algorithm Complexity is Ω(C), often huge!

low complexity strong detection
Low-Complexity Strong-Detection
  • Q: Can Strong Detection be achieved with low complexity?
  • A: Sometimes: we show how to do it for Bellman-Ford (a.k.a. Distance Vector)
strong detection for d v
Strong Detection for D.V.
  • Input at node n:
    • S’n(NR): a single node’s (steady state) state table that reports each neighbor’s (supposed) distance to all nodes
    • Set C of all allowable networks
      • defined by {Axy}: Axy is the set of allowable lengths of edges between node x and y
      • E.g., Axy = [0,3) U [4,4] U [7,100]

S’n(NR)

strong detection in d v at a node n

D

F

G

A

B

C

n

G

E

B

C

n

E

F

D

A

M

Strong Detection in D.V. at a node, n
  • Take node n’s state, s’n(NR)
  • Use this state to build the canonical graph, M є C
  • Simulate D.V. on M to generate simulated state sn(M)
  • We will prove:
    • If sn(M) ≠ s’n(NR), then misconfiguration detected
    • Else, either there is no misconfiguration, or it is undetectable (using node n’s state) because M might be the actual network

s’n (NR)

sn(M)

creating the canonical graph m for an undirected network
Creating the Canonical Graph, M for an undirected network
  • For each pair of nodes (x,y):
    • Create edge (x,y) with length exy = smallest value in Axy ≥ maxm є V(n) |d(m,x) – d(m,y)|
    • exy = ∞ if all values in Axy too small
  • Consider state table on left
    • eCD ≥ max(|12-5|, |13-9|, |8-12|) = 7
    • If ACD = [1,1] U [4,6] U [8,10], then eCD = 8
proving strongness of the canonical graph method
Proving Strongness of the Canonical Graph Method
  • N: a network for which sn(N) = s’n(NR), when such a network N exists
  • M: the canonical graph constructed by n from s’n(NR)
  • fxy: length of edge (x,y) in N (when the edge exists)
  • exy: length of edge (x,y) in M (edges always exist)
  • dG(x,y): shortest path distance from x to y in network G
  • Assume: all edges have positive length (easy to extend when edges can also have length 0)
  • High Level Sketch of Proof:
    • If N exists where sn(N) = s’n(NR), then sn(M) = sn(N) = s’n(NR)
    • If N does not exist, then sn(M) ≠ s’n(NR)
bounds on e xy

n

v

Bounds on exy
  • Lemma 1: If sn(N) = s’n(NR) for some N є C and edge (x,y) exists in N with length fxy, then exy ≤ fxy
  • Proof: In N, x & y’s distances to any neighbor v must differ by at most fxy, i.e.: For each neighbor v, |dN(v,y) – dN(v,x)| ≤ fxy
  • Hence maxm є V(n) |d(m,x) – d(m,y)| ≤ fxy
  • Recall exy = smallest value in Axy ≥ maxm є V(n) |d(m,x) – d(m,y)|
  • Since N є C, we have fxy є Axy and so exy ≤ fxy

y

x

fxy

slide20

in M:

exy

y

y

x

fxy

  • Lemma 2: If sn(N) = s’n(NR) for some N є C, then dM(v,x) ≤ dN(v,x) for all neighbors v and all nodes x
  • Proof: by contradiction. Select x with smallest dN(v,x) where dM(v,x) > dN(v,x)
  • Let y be a preceding node on a shortest path from v to x in N: fxy is the edge connecting y to x on this path, so dN(v,y) < dN(v,x) and |dN(v,x) – dN(v,y)| = fxy
  • dN(v,y) < dN(v,x), hence y not blue dM(v,y) ≤ dN(v,y), so dM(v,y) ≤ dN(v,y) < dN(v,x) < dM(v,x)
  • fxy = |dN(v,x) – dN(v,y)| < |dM(v,x) – dM(v,y)| ≤ exy

Blue nodes t satisfydM(v,t) > dN(v,t)

v

x

n

Distance from v in N

Contradicts Lemma 1 (which states exy ≤ fxy)!!

slide21

in N:

v

y

y

exy

x

Blue nodes t satisfydM(v,t) < dN(v,t)

  • Lemma 3: If sn(N) = s’n(NR) for some N є C, then dM(v,x) ≥ dN(v,x) for all neighbors v and all nodes x
  • Proof: by contradiction. Select x with smallest dM(v,x) where dM(v,x) < dN(v,x)
  • Let y be the node preceding x on a shortest path from v to x in M where edge exy connects y to x on this path: hence dM(v,y) < dM(v,x) and exy = dM(v,x) - dM(v,y)
  • dM(v,y) < dM(v,x), hence y not blue dM(v,y) ≥ dN(v,y)
  • Hence exy = dM(v,x) - dM(v,y) < dN(v,x) - dN(v,y) = | dN(v,x) - dN(v,y) |

x

n

Distance from v in M

But exy = maxm |dN(m,x) – dN(m,y)|, and

maxm |dN(m,x) – dN(m,y)|≥ |dN(v,x) – dN(v,y)| !! Contradiction!

the main result
The Main Result
  • Some N є C produces state sn(N) = s’n(NR)  sn(M) = s’n(NR)
  • Proof:
    •  Follows from Lemma 2 (dM(v,x) ≤ dN(v,x))and Lemma 3(dM(v,x) ≥ dN(v,x))
    •  If no N є C produces state s’n(N), since M є C, M cannot produce state = s’n(N)
  • In other words, only need to check if sn(M) = s’n(NR)
  • Complexity: O(|V|3)
    • Construct the canonical graph, M
    • Simulate Bellman-Ford
    • Compare State Tables
extensions future directions
Extensions / Future Directions
  • Same idea works for:
    • Directed graphs
    • Using state info from a set of trusted nodes
  • Similar canonical graph construction works for path-vector variants
  • Future Directions:
    • Identifying the offending node (not just its existence)
    • Performing Strong Detection for other routing protocols (Ad-hoc network, geographical positioning)
ad